Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. For specific legal determinations, please consult an attorney well-versed in Lao law. Translations of laws and regulations are reference translations by the author; the Lao-language versions are the authoritative texts.

For companies operating in Laos, digital-related laws and regulations are an area that is rapidly being developed.

The Personal Data Protection Law (PDP Law) has come into force. The Lao National Assembly passed and enacted the Personal Data Protection Law (Source: Rajah & Tann Asia). This makes Laos one of the countries in ASEAN with a comprehensive data protection law, following Thailand and Vietnam.

In addition, the existing three laws — the Electronic Data Protection Law (2017), the Cybercrime Law (2015), and the Electronic Transactions Law (2012) — remain in effect, forming a multi-layered regulatory framework alongside the new law. Furthermore, a new Cybersecurity Law is currently under deliberation in the National Assembly (Source: KPL), and digital regulation continues to be strengthened.

This article organizes Laos's digital-related laws and regulations into a checklist of 25 items. It is designed as a practical tool for executives and legal officers to review their company's data management and AI usage, and to identify any compliance gaps.

This checklist consists of the following 3 categories and 25 items in total.

How to use: Work through each ☐ item in order to identify any gaps in compliance. For items that are difficult to assess internally, consulting a local attorney well-versed in Lao law is recommended. If you need a PDF version of the checklist, it can be downloaded via the CTA at the bottom of the page.

To understand Laos's digital regulations, it is important to note that they are built on a combination of four laws.

In addition, a new Cybersecurity Law (10 parts, 11 chapters, 79 articles) is currently under deliberation in the National Assembly; if enacted, it will add a dedicated legal framework for cybersecurity (Source: KPL).

The Personal Data Protection Law is a comprehensive personal data protection law passed by the Lao National Assembly, elevating the previous Electronic Data Protection Law (2017) and decree-level regulations into formal legislation (Source: Rajah & Tann Asia).

Key provisions:

• Scope: Applies to both the public and private sectors
• Definition of personal data: Data that can identify an individual (name, ID number, location information, etc.)
• Consent requirement: In principle, the data subject's consent is required for data processing
• Data subject rights: Rights to rectification, restriction of processing, and erasure are codified
• Cross-border transfers: Transfer of data outside the country requires assessment and approval
• Supervisory authority: A data protection authority under the Ministry of Technology and Communications (MoTC)
• Penalties: Administrative penalties (LAK 25 million to 100 million), with criminal penalties (including imprisonment) for serious violations

The previous Electronic Data Protection Law (No. 25/NA, enacted in 2017) remains in effect and, together with the PDP Law, forms the two pillars of Laos's data protection framework (Sources: DLA Piper, ILO NATLEX).

When building data infrastructure for clients, a number of local IT vendors were unaware of the existence of the Electronic Data Protection Law. While the enforcement of the PDP Law has brought greater clarity to legal obligations, there remains a gap in practical awareness on the ground.

The Cybercrime Law (enacted in 2015) is a law that regulates unauthorized access and data tampering through criminal penalties. It also serves as the legal basis for establishing LaoCERT (National Computer Emergency Response Team) (Source: Council of Europe, Digital Watch Observatory).

Key points for businesses to note:

• Prohibition of unauthorized access: Covers not only unauthorized intrusion into company systems, but also employees accessing data beyond their authorized permissions
• Data tampering and destruction: Criminal liability for intentional data manipulation
• Incident reporting: Obligation to report cyberattacks to the authorities
• Evidence preservation: Obligation to preserve and submit electronic evidence
• Penalties: Stipulates fines and imprisonment sentences commensurate with the severity of the violation

It should be noted that a new Cybersecurity Law (consisting of 10 parts, 11 chapters, and 79 articles) is currently under deliberation in the National Assembly; if enacted, it will further strengthen the technical standards for cybersecurity and the legal framework for emergency response (Source: KPL).

For details on the realities of smartphone fraud in Laos and countermeasures, a related article provides an in-depth explanation of cases involving the application of the Cybercrime Law.

The Electronic Transactions Law (enacted in 2012) is a foundational law that establishes the legal validity of electronic signatures and electronic contracts. The E-Commerce Decree (effective 2021) adds a registration system for online businesses and consumer protection provisions (source: VDB Loi).

• Validity of Electronic Signatures: Electronic signatures meeting certain requirements carry the same legal effect as handwritten signatures
• Electronic Contracts: Clarifies the requirements for contract formation conducted online
• Consumer Protection: Information disclosure obligations for e-commerce businesses, and return/refund rules (strengthened by the E-Commerce Decree)
• Business Registration: Online retailers are required to complete electronic registration (E-Commerce Decree)
• Data Retention: Requirements regarding the electronic storage of transaction records

Laos has joined the ranks of ASEAN member states with a comprehensive data protection law through the enforcement of its Personal Data Protection Law (PDP Law) (Source: Rajah & Tann Asia).

To summarize the current landscape:

The PDP Law complements the existing Electronic Data Protection Law (2017) by comprehensively regulating the definition of personal data, consent requirements, data subject rights, cross-border transfer requirements, and penalties.

What this means for businesses: The conventional assumption that "Laos has no comprehensive law" is now entirely a thing of the past. With the enforcement of the PDP Law, reviewing compliance frameworks is no longer a matter of "preparing for the future" — it is a present legal obligation. The Ministry of Technology and Communications (MoTC) serves as the supervisory authority, and registration with the data protection authority is also mandatory (Source: DLA Piper).

Based on Laos's Personal Data Protection Law (PDP Law) and Electronic Data Protection Law, this document organizes the data protection items that companies should verify. With the enforcement of the PDP Law, the following checklist items are not recommendations but legal obligations.

☐ Item 1: Is the purpose of collecting personal data explicitly documented?

The PDP Law requires a legal basis for processing personal data, and it is necessary to document "for what purpose" and "to what extent" each type of collected data will be used. Collection based on vague justifications such as "we might use it in the future" is not permitted.

☐ Item 2: Has consent been obtained from the data subject?

Under the PDP Law, valid consent from the data subject is generally required for the processing of personal data. Records of consent obtained (when and to what extent consent was given) must also be retained. Data subjects are also legally granted the right to withdraw consent (Source: DLA Piper).

In a Laos project, there was a client who operated without a Lao-language version of the consent form, using only English. Local staff were unable to understand the content, resulting in consent that was merely a formality — providing explanations in the local language is essential to ensuring the substantive validity of consent.

☐ Item 3: Is the data collected limited to the minimum necessary?

Verify that data unnecessary for business operations — such as sensitive data including religion, ethnicity, and health information — is not being collected. The PDP Law requires additional protective measures for the processing of sensitive data, and cases where HR systems are configured to have "all fields filled in by default" should be reviewed.

☐ Item 4: Is a privacy policy presented at the time of data collection?

The PDP Law requires transparency in data processing activities. Regardless of the collection method — whether via website, app, or paper form — the privacy policy must be made accessible to the data subject. Providing a Lao-language version is mandatory.

☐ Item 5: Have you defined where and for how long data is stored?

Clarify "where" and "until when" data is retained. The PDP Law mandates the registration of data processing activities, and identifying storage locations is part of the registration requirements. If you are using cloud services, you must also be aware of the physical location of the data centers.

☐ Item 6: Are access permissions managed according to the principle of least privilege?

A state in which "everyone can access all data" risks violating the security management measure requirements of the PDP Law. Set access permissions by department and job title, and conduct regular reviews.

☐ Item 7: Have you implemented data encryption and security management measures?

The PDP Law requires the implementation of appropriate security measures (source: DLA Piper). Both encryption at rest and encryption in transit are recommended. In particular, since internet connectivity can be unstable in some areas within Laos, ensuring the security of communication channels is critical.

☐ Item 8: Have you identified whether cross-border transfers of personal data are taking place?

Simply using SaaS tools (such as Google Workspace and Salesforce) results in data being transferred outside the country. The PDP Law requires assessment and approval for cross-border transfers (source: DLA Piper), making it necessary to inventory the data storage locations for all services your organization uses.

☐ Item 9: Have you verified the level of data protection in the countries or regions to which data is transferred cross-border?

The PDP Law imposes conditions on cross-border transfers, requiring confirmation of whether the destination country has an adequate data protection framework or whether contractual safeguards are in place. Even under the previous Electronic Data Protection Law, the consent of the data subject was mandatory for cross-border transfers.

☐ Item 10: Have you established rules governing data sharing among group companies?

Data sharing with a parent company (in Japan, Thailand, etc.) also constitutes a cross-border transfer. The assumption that "it's fine because it's within the group" is incorrect. Data sharing agreements must be concluded between group companies, and the legal basis for the transfer must be clearly defined.

Five years ago, when sharing confidential information on a project in Laos, I was told that "the scope of sharing is not specified in the contract," and we had to hastily draw up an additional data processing agreement. Reactive, after-the-fact responses come at a cost — both in effort and in trust.

There are no AI-specific regulatory laws in Laos. However, legal liability related to AI use can arise under the framework of the PDP Law, the Electronic Data Protection Law, the Cybercrime Law, and general contract and labor laws. At the ASEAN level, DEFA includes common principles for AI governance (Source: WEF), and these are expected to be reflected in Laos domestic law going forward.

☐ Item 11: Have you identified the types of data processed by your AI systems?

When AI processes personal data, it falls under the PDP Law. You should take inventory of the types and volume of data handled by AI—such as in chatbots, recruitment screening, and customer analytics—and ensure these are included in the registration of data processing activities.

☐ Item 12: Have you incorporated human oversight into AI decision-making processes?

While Laos does not have a "high-risk AI" classification equivalent to the EU AI Act, the DEFA includes common principles for AI governance (sources: WEF, ASEAN official), and there is a possibility that ASEAN-level regulations will be reflected in domestic law going forward. It is strongly recommended to incorporate human review into AI decisions that have significant impact on individuals, such as personnel evaluations, credit assessments, and medical diagnoses.

For a comparison with the EU AI Act and trends in global AI governance, see the related article on AI governance.

☐ Item 13: Do your contracts with AI vendors include data processing clauses?

When using external AI services (such as the ChatGPT API, Claude API, etc.), verify through your contracts how input data is processed on the vendor's side. The PDP Law also requires management of data processing subcontractors, and a particularly important point to confirm is whether your data will be used for model training.

☐ Item 14: Have you clarified the attribution of copyright and intellectual property rights for AI-generated content?

Laos copyright law does not clearly stipulate the attribution of rights for AI-generated works. Establish internal usage rules, including how AI-generated works are credited (e.g., whose output they are treated as) and the disclosure policy when publishing externally.

☐ Item 15: Is there a fact-checking system in place for AI output?

Submitting AI-generated information as-is to customers or government agencies creates liability risks due to potential misinformation. Particularly when using AI output for legal documents or official applications, a review process by qualified professionals should be mandatory.

☐ Item 16: Have you defined which AI tools employees are permitted to use for work purposes?

Unauthorized use of AI tools (shadow AI) can lead to unintended data leakage under the PDP Law. Create a list of approved tools and establish usage rules, including a clear definition of what types of information must not be entered into them.

☐ Item 17: Have you implemented training and education on AI usage?

Having a policy in place alone is not sufficient. For local staff in Laos in particular, it is necessary to prepare training materials in Lao and ensure they understand the risks associated with AI usage and how to use it appropriately.

☐ Item 18: Have you established a reporting flow for incidents arising from AI usage?

Define an escalation flow to address AI-specific incidents, such as damages caused by AI misjudgment or data leakage via AI. Integrating this with the existing cybersecurity incident reporting flow is a practical approach. If the new Cybersecurity Law is enacted, the legal requirements for incident reporting are expected to be further clarified (Source: KPL).

For technical countermeasures related to AI security, supplementary guidance is provided in the Laos AI Security Checklist.

Focusing on the Cybercrime Law (enacted in 2015), we examine corporate security frameworks. A new Cybersecurity Law is currently under deliberation in the National Assembly (Source: KPL), and if enacted, it will further clarify technical standards and emergency response requirements.

☐ Item 19: Are you aware of the reporting contacts and deadlines for cyber incidents?

The reporting contact for cyber incidents is LaoCERT (National Computer Emergency Response Team), under the Ministry of Technology and Communications (MoTC). LaoCERT is also a member of APCERT (Asia Pacific CERT) (Sources: LaoCERT official, APCERT). The latest contact information and reporting procedures can be confirmed on the LaoCERT official website (laocert.gov.la). It is too late to start looking this up after an incident has already occurred.

☐ Item 20: Have you developed an Incident Response Plan (IRP) and conducted regular drills?

It is not enough to simply develop a plan — conduct drills (tabletop exercises) at least once a year. Given Laos's telecommunications environment, emergency communication channels with headquarters may differ from normal operations — include satellite communications and offline communication methods in your plan as well.

☐ Item 21: Have you established log retention periods and preservation procedures?

The Cybercrime Law (2015) requires the preservation of electronic evidence. Retention periods must comply with the relevant provisions and authority guidelines; however, in practice, retaining logs for at least approximately one year is generally recommended. Ensure you have the systems in place to respond to submission requests from investigative authorities.

☐ Item 22: Have you implemented a firewall and intrusion detection/prevention system (IDS/IPS)?

In addition to basic perimeter defense, a design that accounts for the network characteristics specific to Laos (unstable bandwidth, diversity of ISPs) is necessary. There may be significant differences in communication quality between offices in Vientiane and regional locations.

☐ Item 23: Are software vulnerability patches applied on a regular basis?

Patch management is the most fundamental of basics; however, the reality at local offices in Laos is that updates are sometimes impossible due to insufficient bandwidth. Procedures for offline updates should also be prepared.

☐ Item 24: Have you implemented a security awareness program for employees?

A comprehensive program—including phishing email drills, password management training, and physical security measures (such as restrictions on bringing in USB drives)—should be conducted at least twice a year.

☐ Item 25: Have you developed a backup and disaster recovery (DR) plan?

Data backups should be stored at multiple locations both within and outside the country. As Laos is also subject to natural disaster risks (such as flooding), physical distribution of storage should be taken into consideration. The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) should be clearly defined.

The acceleration of legal development in Laos is backed by the existence of the ASEAN Digital Economy Framework Agreement (DEFA). The enforcement of the PDP Law is also part of this trend.

DEFA is a dedicated framework agreement that unifies digital trade rules within the ASEAN region. After 14 rounds of negotiations, agreement has been reached on 24 articles and 98 paragraphs (73% of the total) (Source: WEF, The Star). Signing is being targeted. It covers the following areas:

• Facilitation of cross-border data flows
• Interoperability of digital payments
• Cybersecurity cooperation
• Common principles for AI governance
• Consumer protection

ASEAN's digital economy is currently valued at approximately $300 billion, but with the successful implementation of DEFA, it is projected to grow to as much as $2 trillion by 2030 (Source: ASEAN official). Laos has a relatively small digital economy within ASEAN, but participation in DEFA has functioned as external pressure (and support) for the enactment of the PDP Law.

DEFA is based on the principle of "trust-based data distribution" and requires each country to maintain a minimum level of data protection. The enforcement of Laos's PDP Law is also a response to these DEFA requirements.

Now that the PDP Law has come into force, the next step for businesses is to prepare for the formulation of DEFA's detailed rules and domestic implementing regulations. Specifically:

1. Updating data mapping: Re-inventorying data flows to comply with the PDP Law's registration requirements
2. Reviewing data processing agreements: Updating contractual clauses to align with PDP Law requirements
3. Revising privacy policies: Multilingualization (Lao and English) to meet the PDP Law's transparency requirements
4. Registration with the data protection authority: Notifying processing activities to the data protection authority under MoTC

Even after the enforcement of the PDP Law, the development of subordinate regulations (government regulations) is ongoing, and further specific obligations are expected to be added going forward (Source: Rajah & Tann Asia).

Even in the era before a comprehensive data protection law existed, electronic data protection laws and cybercrime laws were firmly in place, with penalties for violations. Now that the PDP Law has come into effect, the perception that "Laos has no regulations" is a legal risk in itself.

In a case I personally witnessed, a foreign-affiliated company had transferred a customer database to servers outside Laos without authorization. When authorities launched an investigation, the company claimed they had been told there were no data protection laws in Laos — only recognizing the seriousness of the situation when confronted with the specific provisions of the electronic data protection law. The company ultimately received a corrective order and a fine.

Following the enforcement of the PDP Law, it is highly likely that responses to such cases will become even stricter. In addition to administrative penalties (LAK 25 million to 100 million), criminal penalties may also apply in cases of serious misconduct.

In Laos, ministerial administrative guidance (circulars and guidelines) can carry substantial regulatory force in practice, beyond the text of the law itself. The Ministry of Technology and Communications (MoTC, ກະຊວງເຕັກໂນໂລຊີ ແລະ ການສື່ສານ) is the competent authority for digital policy and also serves as the supervisory body for the PDP Law (Source: DLA Piper, MoTC InfoComm Asia). Guidance may be issued even on matters not explicitly stipulated in the law.

Recommended measures include:

• Regularly monitoring official announcements from MoTC
• Staying up to date through a retainer agreement with a local law firm
• Leveraging networks within industry associations (such as the Lao National Chamber of Commerce and Industry)

Many foreign companies operating in Laos share data with local partners (joint venture partners, agents, and subcontractors). The enforcement of the PDP Law has made the legal obligations for managing processors and subcontractors clearer. Common blind spots include:

• Management of data processing subcontractors: The PDP Law requires appropriate protective measures from data processing subcontractors as well. It is essential to verify that partners have implemented adequate security measures.
• Data return and deletion upon contract termination: This is often not explicitly stated in contracts.
• Restrictions on sub-processing: Addressing cases where partners further transfer data to third parties.
• Audit rights: Ensuring the right to verify partners' data management practices.

The Cybercrime Law (enacted in 2015) provides for imprisonment and fines, while the PDP Law stipulates administrative penalties (LAK 25 million to 100 million) and criminal penalties in cases of serious violations. Since the specific maximum terms of imprisonment and fines vary by provision, refer to the relevant articles for details on penalties (Sources: Digital Watch Observatory, DLA Piper).

Yes. The Lao National Assembly has passed and enacted the Personal Data Protection Law (PDP Law) (Source: Rajah & Tann Asia). While the previous Electronic Data Protection Law (2017) partially provided for the protection of personal data, the PDP Law has established a comprehensive legal framework. Like Thailand's PDPA and Vietnam's Personal Data Protection Decree, Laos has become one of the ASEAN countries with a comprehensive data protection law. Compliance is required across all three laws: the PDP Law, the existing Electronic Data Protection Law, and the Cybercrime Law.

At present, no notification or licensing regime specifically dedicated to AI use exists. However, where AI processes personal data, the PDP Law and the Electronic Data Protection Act apply. In addition, in regulated sectors such as finance, healthcare, and education, sector-specific regulations may extend to AI use. It is recommended to confirm requirements in advance with the relevant sectoral regulator. Note that the DEFA incorporates common principles for AI governance (source: WEF), and there is a possibility that regulations at the ASEAN level will be developed in the future.

PDP Law requires assessment and approval for cross-border transfers (Source: DLA Piper). The Electronic Data Protection Law also mandates individual consent for cross-border transfers. While specific procedures (equivalents to adequacy decisions and SCCs) are not defined in as much detail as under the GDPR, in practice, the minimum steps to be taken include verifying the data protection standards of the recipient, executing a data processing agreement, and notifying the data subject. It should be noted that the use of cloud services also constitutes a cross-border transfer. There is a possibility that subordinate regulations under PDP Law will add further specific requirements (Source: Rajah & Tann Asia).

The penalties vary depending on the applicable law. PDP Law primarily imposes administrative penalties (LAK 25 million to 100 million, equivalent to approximately JPY 150,000 to 600,000), with criminal penalties (including imprisonment) applicable in cases of serious violations. The Cybercrime Law (2015) stipulates imprisonment and fines for unauthorized access and data tampering (Sources: Digital Watch Observatory, Council of Europe).

While the monetary penalties themselves are not as substantial as those under the GDPR (4% of turnover), the more serious practical risks lie in the revocation of business licenses in Laos and the deterioration of relationships with authorities. Subordinate regulations under the PDP Law are still being developed, and the details of the penalties may be further clarified in the future.

Once you have completed the 25-item checklist, proceed with actions in the following order of priority.

1. Priority Classification of Unaddressed Items

2. Consulting Specialists

Engage a lawyer well-versed in Lao law to assess the specific application of the PDP Law and evaluate the risks associated with unaddressed items. Vientiane is home to branches of international law firms, including some that offer services in English and Japanese. Since subordinate regulations under the PDP Law are still being drafted, monitoring the latest developments is also important.

3. Deepen Your Knowledge with Related Articles

• Overview of AI Governance — A comparative look at global AI regulations, including the EU AI Act
• Laos AI Security Checklist — Details on technical security measures
• Laos Smartphone Fraud Prevention Guide — Real-world examples and countermeasures under the Cybercrime Law

4. Conducting Regular Reviews

Digital regulations in Laos are evolving rapidly. Keep a close watch on the development of subordinate regulations under the PDP Law, updates on the new Cybersecurity Law, and the signing and entry into force of DEFA, and review this checklist once per quarter.